Electronic device including a digital circuit for accessing encrypted data in a memory and corresponding method to access encrypted data in a memory

ABSTRACT

An electronic device includes: a non-volatile memory configured to store data including encrypted data; and a digital circuit. The digital circuit includes: a microprocessor configured to access the non-volatile memory and an internal memory; and a decryption circuit arranged on an interconnect network identifying an internal data path for exchanging the data between the non-volatile memory and the microprocessor, and connected to a memory controller of the non-volatile memory for receiving blocks of data from the non-volatile memory, the decryption circuit being configured to: perform a decryption on the fly of blocks of the data read from the non-volatile memory to obtain read decrypted data; generate first decryption masks corresponding to first blocks of data being read from the non-volatile memory at a given read address; and generate second decryption masks corresponding to second blocks of data to be read from the non-volatile memory at a next estimated read address.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to Italian Patent Application No.102017000115266, filed on Oct. 12, 2017, which application is herebyincorporated herein by reference.

TECHNICAL FIELD

Various embodiments of the present description relate to an electronicdevice including a digital circuit including a circuit, in particular amicroprocessor, to access a non-volatile memory, an internal memory, inparticular a RAM, and a non-volatile memory, in particular a flashmemory, for storing data, in particular read only data, from thenon-volatile memory, the data being stored encrypted in the non-volatilememory.

BACKGROUND

In order to guarantee security, it is known to provide the applicationcode image run by a microcontroller in an encrypted format to bothprotect the code image itself from a reverse engineering and deny theexecution of unauthorized code image. For instance, a strong encryptionalgorithm like Advanced Encryption Standard (AES) ensures a high levelof protection. However the decryption adds penalties to microprocessorperformance.

The algorithm described by AES is a symmetric-key algorithm, meaning thesame key is used for both encrypting and decrypting the data. AES isbased on a design principle known as a substitution-permutation network,a combination of both substitution and permutation, and is fast in bothsoftware and hardware implementation. At present, there is no knownpractical attack that would allow someone without knowledge of the keyto read data encrypted by AES when correctly implemented. However, thegeneration of the AES-based decryption masks is demanding in term oftime and computation: a dedicated hardware circuit is needed to minimizethe mask generation time without requiring the intervention of themicroprocessor (microprocessor off-loading).

To this regard in FIG. 1 is described a typical subsystem withoutsecurity capability, including a microcontroller 11 which includes amicroprocessor 12, which in its turn includes a cache memory 13 toaccess a RAM memory of the microcontroller 11, not shown in FIG. 1. Aninterconnect network 14, which can include a bus, allows exchanging dataand signals, for instance block of data B, with peripherals, such as anon-volatile memory, specifically an external flash memory 16, which isaccessed for writing and reading blocks B through a memory controller 16a. Such memory controller 16 a is decryption unaware, i.e. it is notconfigured to decrypt encrypted blocks of data. With the reference 15 isindicated a set of other peripherals inside the microcontroller 12 whichare accessed through the interconnect network 14 by the microprocessor11.

As shown, the microprocessor 12 can access block of data B in theexternal memory 16 through a path including the interconnect network 14and the controller 16 a, i.e. is a circuit to access the non-volatilememory 16. Since a microprocessor like microprocessor 12 (with its cachecontroller 13 enabled) typically reads block of data at a time (tens ofbytes), if such blocks of data are encrypted, to decrypt them on the flyit would be necessary to be able to decrypt an entire block of data byapplying the decryption masks to the encrypted block of data. The knownmemory controllers are decryption-unaware. However, memory controllerredesign is complicated and would compromise their maturity. Further,the state-of-the-art flash devices supports hybrid wrap burst (block ofdata) read accesses: the first burst read access occurs with latencywhereas the following burst accesses (when the address incrementslinearly) occurs without latency. A similar behavior occurs with thepre-fetch capability being implemented by the memory controllers tominimize the latency for consecutive read accesses to the flash device.The flash zero-latency implies that the decryption masks have to begenerated very quickly.

SUMMARY

An object of one or more embodiments is to provide an electronic deviceincludes a microprocessor based digital circuit that solves thedrawbacks of the prior art and in particular provides a flexiblearchitectural topology and easy design integration.

According to one or more embodiments, the object is achieved by anelectronic device having the characteristics described herein. One ormore embodiments may refer to a corresponding method as well as to acomputer program product that can be loaded into the memory of at leastone computer and includes parts of software code that are able toexecute the steps of the method when the product is run on at least onecomputer. As used herein, reference to such a computer program productis understood as being equivalent to reference to a computer-readablemedium containing instructions for controlling the processing system inorder to co-ordinate implementation of the method according to theembodiments. Reference to “at least one computer” is evidently intendedto highlight the possibility of the present embodiments beingimplemented in modular and/or distributed form.

According to the solution described herein, it is described anelectronic device including a digital circuit, including a circuit, inparticular a microprocessor, to access a non-volatile memory, aninternal memory, in particular a RAM, and a non-volatile memory, inparticular a flash memory, for storing data, in particular read onlydata, from the non-volatile memory, the data being encrypted and storedin the non-volatile memory, wherein the digital circuit includes adecryption circuit configured to perform a decryption on the fly ofblocks of data read from the non-volatile memory stored encrypted in thenon-volatile memory to obtain read decrypted data, the decryptioncircuit being arranged interposed on a interconnect network identifyinga data path for exchanging data between the non-volatile memory and thecircuit to access a non-volatile memory, and connected to a memorycontroller of the non-volatile memory for receiving the blocks of dataread from the non-volatile memory corresponding to the data storedencrypted. The decryption circuit may be configured to generatedecryption masks corresponding to the blocks of data being read from thenon-volatile memory at a given read address and to generate decryptionmasks corresponding to second blocks of data read from the non-volatilememory at a next estimated read address.

In variant embodiments, the digital microcontroller is a microprocessorbased digital circuit, in particular a digital microcontroller,preferably an ARM-based microcontroller, including a microprocessor, aninternal memory, in particular a RAM, and a non-volatile memory, inparticular a flash memory, for storing data including a user applicationcode image, the microcontroller being configured to operate according toan execution flow, in particular an eXecution-In-Place (XIP) flow,including the microprocessor fetching instructions of the userapplication code image from the non-volatile memory and executing theinstructions, the instructions of the user application code image beingstored encrypted in the non-volatile memory, the digital circuitincluding the decryption circuit configured to perform a decryption onthe fly of blocks of data read from the non-volatile memorycorresponding to the instructions stored encrypted in the non-volatilememory to obtain read decrypted instructions, the decryption circuitbeing arranged interposed on the interconnect network identifying a datapath for exchanging data between the non-volatile memory and themicrocontroller, and connected to a memory controller of thenon-volatile memory for receiving the blocks of data read from thenon-volatile memory corresponding to the instructions stored encrypted.

In variant embodiments, the digital microcontroller includes a securitysubsystem circuit, in particular a Hardware Security Module, connectedto a security interconnect network identifying a secure data path toexchange security information including encryption parameters withcircuits of the microcontroller, the decryption circuit being alsoconnected to the security subsystem circuit being connected to thesecurity interconnect network to receive encryption parameters.

In variant embodiments, the decryption circuit includes an internalcontrol path for exchanging the secure information with an internaldecryption circuit, separated from an internal data path for exchangingdata between the controller and the non-volatile memory.

In variant embodiments, the control path includes registers connectedthrough interfaces to the security interconnect network, the registersbeing accessible via a dedicated port to which the security subsystemcircuit is connected through the security interconnect network to managethe security of data transiting on the dedicated port, the registersbeing both write-only and write-once and the microcontroller, theregisters exchanging security information with a decryption circuitunder the control of a control circuit configured to monitor theinterface transactions occurring on the internal data path.

In variant embodiments, the decryption circuit includes a simplified AEScore configured to generate masks on the basis of the encryptionparameters in the security information and hardware decryption circuitryto combine the decryption masks with the encrypted data, in particularincluding a circuit performing an exclusive OR, or XOR, operation,between the read data and the mask from the AES core.

In variant embodiments, the decryption circuit includes a bypass circuitto allow data which do not require the decryption, in particular theapplication data if the non-volatile memory is configured to store boththe user application code image data and application data, to remainunchanged, in accordance with the commands being received from thecontrol circuit on the control path.

In variant embodiments, the AES core is configured to perform an AESdecryption calculating speculative decryption masks in advance toperform hardware decryption without adding latency.

It is also described a method to access encrypted data in a non-volatilememory from a device as described above, including fetching instructionsstored encrypted in the non-volatile memory of the user application codeimage from the non-volatile memory and executing the instructions,further including performing a decryption on the fly of the instructionsstored encrypted in the non-volatile memory.

In variant embodiments, the flow includes the following operations:first performing a system initialization; and then the microprocessorbegins the execution of the decrypted instruction read from the flashmemory, decrypted in read cycle by the decryption circuit.

In variant embodiments, the flow is an eXecution-In-Place (XIP) flow.

It is also described a computer program product that can be loaded intothe memory of at least one computer and includes parts of software codethat are able to execute the steps of the method above when the productis run on at least one computer.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will now be described purely by way of a non-limitingexample with reference to the annexed drawings, in which:

FIG. 1 was discussed in the foregoing;

FIG. 2 represents schematically a first embodiment of the solution heredescribed;

FIG. 3 represents schematically a preferred embodiment of the solutionhere described;

FIG. 4 represents schematically a further embodiment of the solutionhere described;

FIG. 5 represents schematically another further embodiment of thesolution here described;

FIG. 6 represents schematically a circuit of the embodiment of FIG. 3;

FIG. 7 represents schematically a sub-circuit of the circuit of FIG. 6;and

FIG. 8 represents a flow of operations performed by the solution heredescribed.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

The ensuing description illustrates various specific details aimed at anin-depth understanding of the embodiments. The embodiments may beimplemented without one or more of the specific details, or with othermethods, components, materials, etc. In other cases, known structures,materials, or operations are not illustrated or described in detail sothat various aspects of the embodiments will not be obscured.

Reference to “an embodiment” or “one embodiment” in the framework of thepresent description is meant to indicate that a particularconfiguration, structure, or characteristic described in relation to theembodiment is included in at least one embodiment. Likewise, phrasessuch as “in an embodiment” or “in one embodiment”, that may be presentin various points of the present description, do not necessarily referto the one and the same embodiment. Furthermore, particularconformations, structures, or characteristics can be combinedappropriately in one or more embodiments.

The references used herein are intended merely for convenience and hencedo not define the sphere of protection or the scope of the embodiments.

Various embodiments may apply e.g. to an electronic device such as aGlobal Navigation Satellite System integrated circuit including amicroprocessor based digital circuit and storing in the non-volatilememory a user application code image, the microcontroller beingconfigured to operate according to a XIP execution flow-Place).

Various embodiments may apply e.g. to preferably an ARM-basedmicrocontroller.

The solution here described refers to a decryption hardware circuitwhich avoids redesign of memory controllers by implementing an externaldecryption hardware circuit that can be connected to such controllers asa memory controller external add-on. Such decryption hardware circuit isable to decrypt an entire block of data on-the-fly by applying thedecryption masks to the encrypted block of data. In order to address theflash zero-latency the decryption masks are generated in advance, with amasks speculation procedure.

The hardware circuit is configured to quickly generate the decryptionmasks for the current decryption burst and the speculative decryptionmasks for the next decryption burst, in order to decrypt a stream ofdata without adding further latency. Also the decryption hardwarecircuit provides protection of the decryption parameters (AES keys andvectors) used by the decryption circuit against “hacking”, beingconfigured so that the programming of the AES parameters occurs with aseparate secure path with respect to the data path and the AESparameters read-back must be impossible. When the circuit is enabled todecrypt, it cannot be disabled anymore and the parameters areunchangeable. Therefore the circuit configured to perform a decryptionincludes registers which are accessible via a dedicated port, configuredas both write-only and write-once.

More in detail, with reference to FIG. 2, a schematic solution of amicrocontroller 21 is described. The architecture is similar to the oneof microcontroller 11 described with reference to FIG. 1, i.e. itincludes the microprocessor 12 and cache memory 13 to access for readingand writing a RAM memory of the microcontroller 21, not shown in FIG. 2.The interconnect network 14, which can include a bus, allows exchangingdata and signals, for instance block of data B, with the peripherals 15and a non-volatile memory 26, specifically an external flash memory,which is accessed for writing and reading encrypted blocks CB through asecure memory controller 26 a. Such secure memory controller 26 aincludes the decryption unaware memory controller 16 a, which exchangesencrypted block of data CB with the non-volatile memory 16. However,placed between the controller 16 and the interconnect network 14, thesecure memory controller 26 a includes a decryption circuit 22, i.e. acircuit configured to perform a decryption on the fly, i.e. during theread cycle, of the blocks of data CB, in particular of instructions ofthe application code stored encrypted in the non-volatile memory 16. Thedecryption circuit 22 decrypts the encrypted blocks of data CB comingfrom the flash memory 16, through the memory controller 16 a, andsupplies them as decrypted block B over the interconnect network 14 tothe microprocessor 12.

The decryption circuit 22 is configured to be part of the digitalmicrocontroller subsystem, which has a limited internal memory, i.e. theRAM memory connected to the cache 13, a user application code image AC,containing instructions, being stored inside the non-volatile flashmemory 16.

Preferably, the microcontroller 21 is configured to perform aneXecution-In-Place (XIP) procedure, which allows the microprocessor 12to fetch and execute the instructions of the user application code imageAC from the flash memory 16, instead of first copying them to theinternal RAM memory 13 before their execution. The decryption circuit 22allows performing the XIP procedure with an encrypted user applicationcode AC, i.e. as encrypted blocks of data CB, to be performed withoutpenalties to microprocessor performance.

Preferably the electronic device including the microcontroller 21 is aGlobal Navigation Satellite System integrated circuit, i.e. apositioning device, the microcontroller 21 being an ARM-basedmicrocontroller. The application data stored in the flash memory 16 areor include positioning data, while the encrypted user application codeimage AC contains the instruction to manage the operations of the GlobalNavigation Satellite System integrated circuit.

An execution operation flows with encrypted application code includesthe following steps: in a first step it is performed systeminitialization, e.g. a configuration of the hardware device; and in asecond step the microprocessor 12 begins the execution of the decryptedcode, i.e. instructions in blocks B, from the flash memory 16, becausethe code is decrypted on-the-fly, i.e. during the same read cycle, bythe circuit 22.

This represents a far simpler and quicker procedure than the standardprocedure which, after the system initialization, requires that theencrypted blocks CB of the application code AC are copied from theexternal flash memory 16 to the internal RAM memory 13 a, then themicroprocessor 12 decrypts the encrypted code and copy the decryptedcode inside the internal memory 13 a, then the microprocessor 12 beginsthe execution of the decrypted code from the RAM memory 13 a.

The XIP procedure allows the microprocessor 12 to start the execution ofthe code faster than with the standard methodology and to design deviceswith less internal RAM memory. The XIP procedure also avoids that thedecryption algorithm and decryption parameters are accessible.

FIG. 3 presents a preferred embodiment of the solution here described,which includes use of a security subsystem circuit, namely a HardwareSecurity Module, or HSM. State-of-the-art devices with microcontrollersubsystems embed a security subsystem, i.e. the Hardware Security Modulewhich is in charge of the management of the security. The HSM is aphysical computing device that safeguards and manages digital keys forstrong authentication and provides crypto-processing. As a separateresult, the main microprocessor cannot access to the securityinformation (encryption keys, encryption parameters) and securitycontrols (i.e. it cannot disable the decryption).

To this regard in FIG. 3 is represented a microcontroller 31 whichcorresponds to the microcontroller 21, but, in addition, includes aHardware Security Module 23. The Hardware Security Module 23 isconnected to a security interconnect network 24 to exchange securityinformation SD with the circuits of the microcontroller 30 and, inparticular with the decryption circuit 22, specifically supplyingencryption parameters to such decryption circuit 22.

The security information SD includes the decryption parameters, inparticular the AES keys and vectors used by a decryption circuit 224,specifically an AES Core 224 a, as shown in FIGS. 6 and 7, which must beprotected against “hacking”. The programming of the AES parameters inthe decryption circuit 224 occurs through a separate secure path, i.e.the secure interconnection network 24, with respect to the data path,represented by the interconnect network 14, and the AES parametersreadback is thus made impossible. When the decryption circuit 22 isenabled to decrypt it cannot be disabled anymore and the parameters arebe unchangeable. The registers of the decryption circuit 22, as bettershown with reference to FIG. 7, which are accessible only via adedicated port, both write-only and write-once.

To this regard, in FIG. 6 is shown a schematic of the decryption circuit22.

A secure path interface 221 s interfaces the circuit 22 with the secureinterconnect network 24 to exchange the security information SD. Acorresponding interface 241 s is provided on the secure interconnectnetwork 24.

A data path interface 221 d interfaces the decryption circuit 22 withthe interconnect network 14 to exchange the data, for instance the blockof data B. A corresponding interface 141 d is provided on theinterconnect network 14.

From the secure path interface 221 s start an internal secure data path,labeled as control path CP, for the secure information SD, in thedecryption circuit 22, while from the data path interface 221 d startsan internal data path DP for the data to be written WB and data to beread RB.

On the control path CP are arranged registers 222 to store the AESparameters being used for the decryption in the security information SD,in particular the encryption keys and parameters for the AES core 224 awhich performs the AES decryption are provided. A control circuit 223 isconfigured to monitor the interface transactions occurring on the datapath DP, recognize the transactions to be decrypted and send commands tothe decryption circuit 224 accordingly.

The decryption circuit 224, as better shown in FIG. 7, is a circuitembedding the AES core 224 a for the decryption masks generation, thehardware decryption circuitry to combine the decryption masks with theencrypted data and a bypass circuit to allow the data which do notrequire the decryption, for instance the application code, to remainunchanged, in accordance with the commands being received from thecontrol circuit 223.

The decryption circuit 224 receives the encrypted read data in theencrypted blocks CB from the flash memory 16 through a data pathinterface 225 d arranged in the decryption circuit 22 and acorresponding data interface 161 in the non-volatile memory 16.

The internal data path DP includes a write path WP which sends the writedata WB directly to the data path interface 225 d and then to thenon-volatile memory 16 for writing operations. These write data WB canbe encrypted by the microcontroller 31 or by another device associatedto the microcontroller 31. The internal data path DP includes also aread path RP, which starts from the non-volatile memory 16, passesthrough the decryption circuit 22 (through interfaces 225 d and 161) andreaches, after undergoing decryption at decryption circuit 224, as readblocks RB, the data path interfaces 221 d and 141 d to be propagated onthe interconnect network 14 to the microprocessor 12, for instance forexecution according to the XIP procedure.

The decryption circuit 22 has compatible interfaces to be connected tothe existing interconnect interfaces, which are specifically ARMAdvanced Peripheral Bus (APB) 142 (the secure path interfaces 141 a, 221s) and memory controller interfaces Advanced High-performance Bus (AHB)143 (the data path interfaces, 141 d, 221 d and 225 d, 161).

As mentioned, the decryption circuit 22 provides a control path CP,which is a secure path including circuits 221S, 222, 223, 224, beingseparated from the data path DP (circuits 211 d, 225 d). The AESparameters and control commands can be programmed into registers 222,which are write-only and write-once, via the secure path SP to preventagainst hacking.

In FIG. 7 it is shown a block schematics detailing the decryptioncircuit 224. Such decryption circuit 224 as mentioned includes the AEScore 224 a, which receives the secure information SD, namely the AESkey, the AES Initialization Vector and the address of the data todecrypt, generating the corresponding decryption masks M (and alsospeculative masks SM).

The speculative masks SM are calculated by way of a speculativeprocedure, in which, for instance, the mask generated depends on theaddress of the block of data. When the main processor (via its cachecontroller) issues a read to the memory, the decryption circuit 224starts generating the decryption mask M. As soon as the mask M isgenerated, the decryption circuit 224 speculatively generates the maskSM for the block being at the next consecutive linear address, i.e.speculates that the block at the next consecutive linear address is thenext block that will be read. Hence, if the cache performs a read tothis block, the speculated mask SM is already available. As a state-ofthe-art flash memory introduces a latency only on the first block read,but none for the following linear blocks, this solution avoids thedecryption block to add some latency on decryption of subsequent blockread.

The AES core 224 a is preferably a specialized version of ageneral-purpose AES core in order to just generate the decryption masksM, so that such specialized AES core 224 a can be faster, enhancing thedecryption speed, and use less resources, i.e. less area on the chipthan the general purpose AES core.

For instance the AES core 224 receives the AHB address of the data todecrypt (32 bits) and the AES Initialization Vector (128 bit), which aresummed one with the other, and on a separate input, the AES key (128bits), which are then used by the AES Core 224 a in way per se known toobtain the mask M.

Such decryption masks M, SM are supplied to a block 224 d performing anexclusive or, or XOR, operation with the corresponding data read fromthe flash memory 16. These read data are in general encrypted data CB,however they may also be not encrypted data, although in FIG. 7 forsimplicity all these data are indicated with the reference CB. For thisreason, decrypted data from the XOR block 224 d are sent to an input ofa multiplexer 224C while the data read from the memory 16 are also sentdirectly to another input of the multiplexer 224 c.

The hardware XOR operation at block 224 d of the decryption mask M (orspeculative mask SM) with data CB read from the flash memory 16 occurswithout adding delay (latency) to the decrypted data. A decryptionmonitor circuit 224 b is configured to determine if the data CB from theflash memory 16 must be decrypted, because it is a block of code imagedata or not, controlling correspondingly the outputs of the multiplexer224 c. The decryption monitor circuit 224 b monitors the transactiontype and the address range, by reading the internal data path DP.

In FIG. 8 it is shown a diagram representing access operations forreading the memory 16 by the microprocessor 12, represented through thecache memory 13.

The first row in the diagram represents the reading addresses RA sent insequence by the microprocessor 12 to access the memory 16. As a firstread is sent a read address RA1 (first column, columns representssubsequent read cycles, or decryption bursts). The memory 16 suppliesthe corresponding block of data CB(RA1) with a latency LT, as shown inthe second row, representing the response of memory 16. Operations ofthe decryption circuit 22 are shown in the third row (data decryption),fourth row (both mask and speculative mask generation), and fifth row(speculative mask generation only). The decryption circuit 22 generates(fifth row) a decryption mask M1 and generates then a speculative maskSM1 therefrom, generating the mask corresponding to the next estimatedread address, specifically the next consecutive linear address. Adecryption operation DC(M1) with the first decryption mask M1, whichcorresponds to performing a XOR between the mask M1 and the block ofdata CB(RA1), is performed, originating the corresponding decrypted readblock RB sent to the cache 13. The second column shows a consecutiveread, address is RA2=RA1+1, the block of data obtained is CB(RA2), whichis decrypted by operation DC(SM1) using the speculative mask SM1generated at the previous read cycle. A second speculative mask SM2 isalso generated. Then, in the next read cycle (third column), a furtherconsecutive read is performed, address is RA3=RA2+1, the block of dataobtained is CB(RA3), which is decrypted by operation DC(SM2) using thesecond speculative mask SM2 derived at the previous read cycle. A thirdspeculative mask SM3 is also obtained during this cycle. Then, in thenext and final read cycle, a non-consecutive read is performed, i.e. theread address in incremented by five, is RA4=RA3+5. This means that thethird speculative mask SM3 cannot be used, thus the third speculativemask SM3 is disposed (operation DS). The memory 16 supplies thecorresponding block of data CB(RA4) with a latency LT, as shown in thethird row, representing the response of memory 16. The decryptioncircuit 22 generates a second decryption mask M2 and derives then afourth speculative mask SM4 therefrom. A decryption operation DC(M4)with the second decryption mask M2 is performed.

This shows how the flash zero-latency reads require the decryption masksto be generated in advance (masks speculation) and how a specializedhardware circuitry is required to quickly generate the decryption masksM for the current decryption burst and the speculative decryption masksfor the next decryption burst, in order to decrypt a stream of datawithout adding further latency. The AES core is a simplified corespecialized in order to generate the 128 bit decryption mask as fast aspossible, with the lowest hardware resources. The AES core is configuredto generate a decryption mask in only 11 clock cycles.

The AES core can be used mostly in two ways—as a block cipher (that isdata are encrypted/decrypted by the AES core) or as a stream cipher (theAES core is used to generate a mask that is XORed with data, i.e. anexclusive OR is performed between the mask and the data). The drawbackof the block cipher mode is that it is possible to start using the AEScore only when the data is available. Thus, it is taken in considerationthe full latency of AES processing. With stream cipher, the maskgeneration is independent of data availability and can usually bestarted in advance. Hence, part or all the AES latency can be removed.

Under this view, the simplified AES core is configured to only implementencryption as the same mask is used for encryption and decryption. Forencryption, clear text, i.e. data, is XORed with a mask, obtainingcyphered text. In decryption, such cipher text is XORed with the samemask which provides the clear text.

Summarizing the simplified AES core 224 a is configured to operate onlyin encryption mode and the decryption circuit 224 is configured to usethe simplified AES core 224 a only as a stream cipher, generatingdecryption masks M, SM, which are supplied to block 224 d to perform anexclusive or, or XOR, operation with the corresponding data read fromthe flash memory 16. The decryption masks M, SM are the same used toencrypt the data read from the flash memory 16.

FIGS. 4 and 5 show two variant embodiments. In FIG. 4 the decryptioncircuit 22 is connected directly to the processor 12, i.e. between theprocessor 12 and the interconnect network 14, so that only the data tothe processor 12 are decrypted, while there are no decrypted data on theinterconnect network 14.

In FIG. 5 it is shown an embodiment with more than one non-volatilememory 16, in particular two memories 16 ₁ and 16 ₂ that the processor12 can access. In this case are provided two secure controllers 26 ₁ and26 ₂, one for each non-volatile memory, which are connected to theinterconnect network 14. A unique Hardware Security Module 23 isprovided which supplies the security information SD on the secureinterconnect network to the two secure controllers 26 ₁ and 26 ₂ inparallel.

The solution according to the various embodiments here described allowsto obtain the following advantages.

This solution advantageously provides that the hardware decryption isperformed without adding latency, in particular by providing speculativedecryption masks.

Also, a simplified hardware to generate decryption masks without theintervention of the microprocessor is used by employing an optimized AEScore.

The solution described provides a flexible architectural topology andeasy design integration.

The solution described provides separate paths for application code dataand secure data.

The solution described provides decryption of application code andtransparency with application data.

Of course, without prejudice to the principle of the embodiments, thedetails of construction and the embodiments may vary widely with respectto what has been described and illustrated herein purely by way ofexample, without thereby departing from the scope of the presentembodiments.

The depicted implementation is designed specifically for an ARM-basedmicrocontroller subsystem, but it can be generalized according todifferent architectures (and interfaces) and caches (different size ofblock of data).

The encryption process of the data stored in the flash memory preferablyis an off-line software flow using a computer to program the flashmemory with the encrypted code image by using a flash loaderapplication. In variant embodiments first the source code is compiled,for instance in an external computer, as code image, then the codeimage, by the same or another computer, is encrypted using a AESalgorithm making use of the AES key, the AES Initialization Vector andthe range address of the data to encrypt, obtaining the encrypted codeimage AC, which is then stored in the flash memory with the flash loaderapplication.

In variant embodiments an encryption process different from AES can beused.

The electronic device including the decryption circuit here described isparticularly efficient in performing a decryption on-the-fly of the codeimage stored inside a non-volatile memory without penalty (no latency,no microprocessor intervention, . . . ) in a XIP scenario, however itdoes not need to recognize a XIP flow to operate. The electronic deviceincluding the decryption circuit here described recognizes the typicalread transactions performed by the cache during the cache linefills.Therefore the electronic device including the decryption circuit heredescribed can be used to access in general a non-volatile memory storingencrypted data which are preferably read-only data. These read-only datacan include application code image, but in variant embodiments can bealso different kinds of data, for instance constant data. A DMA (DirectMemory Access) device is then able to perform read transactions like thecache ones, i.e. it can represent a circuit to access the non-volatilememory. When the DMA performs “cache-like” read transactions to thedecryption circuit, the data are decrypted as well. In general thedecryption circuit can decrypt on the fly encrypted information (code ordata) when triggered by specific read transactions.

What is claimed is:
 1. An electronic device, comprising: a non-volatilememory configured to store data, wherein the data comprises encrypteddata; and a digital circuit, comprising: a microprocessor configured toaccess the non-volatile memory and an internal memory; and a decryptioncircuit arranged on an interconnect network identifying an internal datapath for exchanging the data between the non-volatile memory and themicroprocessor, and connected to a memory controller of the non-volatilememory for receiving blocks of data from the non-volatile memory, thedecryption circuit being configured to: perform a decryption, on thefly, of blocks of the data read from the non-volatile memory to obtainread decrypted data; generate first decryption masks corresponding tofirst blocks of data being read from the non-volatile memory at a givenread address; and generate second decryption masks corresponding tosecond blocks of data to be read from the non-volatile memory at a nextestimated read address, wherein the decryption circuit comprises abypass circuit to allow data which do not require decryption to remainunchanged in accordance with commands being received from a controlcircuit configured to monitor transactions occurring on an internalcontrol path.
 2. The device according to claim 1, wherein the internalmemory comprises a random-access memory.
 3. The device according toclaim 1, wherein the data comprises read-only data.
 4. The deviceaccording to claim 1, wherein the non-volatile memory comprises a flashmemory.
 5. The device according to claim 1, wherein the microprocessorcomprises a digital microcontroller, wherein the data comprises a userapplication code image, wherein the digital microcontroller isconfigured to: operate according to an execution flow comprising aneXecution-In-Place (XIP) flow; fetch instructions of the userapplication code image from the non-volatile memory, wherein theinstructions of the user application code image are stored encrypted inthe non-volatile memory; and execute the instructions of the userapplication code image.
 6. The device according to claim 5, wherein thedigital microcontroller comprises a security subsystem circuit connectedto a security interconnect network identifying a secure data path toexchange security information including encryption parameters with thedigital microcontroller, the decryption circuit also being connected tothe security subsystem circuit.
 7. The device according to claim 6,wherein the security subsystem circuit comprises a Hardware SecurityModule.
 8. The device according to claim 6, wherein the decryptioncircuit comprises the internal control path for exchanging the securityinformation with an internal decryption circuit, separated from theinternal data path.
 9. The device according to claim 8, wherein theinternal control path comprises at least one register connected throughat least one interface to the security interconnect network, the atleast one register being accessible via a dedicated port to which thesecurity subsystem circuit is connected through the securityinterconnect network to manage a security of the data transiting on thededicated port, the at least one register being a write-only and awrite-once register, the at least one register being configured toexchange security information with the decryption circuit under controlof a control circuit configured to monitor transactions occurring on theinternal data path.
 10. The device according to claim 9, wherein thedecryption circuit comprises an Advanced Encryption Standard (AES)decryption circuit comprising a simplified AES core configured togenerate the first decryption masks and the second decryption masks on abasis of the encryption parameters in the security information and ahardware decryption circuitry to combine the first decryption masks andthe second decryption masks with the encrypted data, the hardwaredecryption circuitry comprising a circuit performing an exclusive ORoperation between the data and the first decryption masks or the seconddecryption masks supplied from the simplified AES core.
 11. The deviceaccording to claim 10, wherein the simplified AES core is configured tooperate only in encryption mode, and wherein the decryption circuit isconfigured to use the simplified AES core as a stream cipher to generatea mask supplied to the circuit of the hardware decryption circuitry. 12.The device according to claim 11, wherein the simplified AES core isconfigured to perform an AES decryption calculating speculativedecryption masks corresponding to the second blocks of data read,wherein the next estimated read address corresponds to a nextconsecutive linear address to perform hardware decryption without addinglatency.
 13. The device according to claim 1, wherein the device is aGlobal Navigation Satellite System integrated circuit.
 14. A method toaccess encrypted data in a non-volatile memory, the method comprising:fetching instructions of a user application code image from anon-volatile memory, the user application code image being encrypted andstored in the non-volatile memory; executing the instructions of theuser application code image; performing, by a decryption circuit, adecryption, on the fly, of the instructions of the user application codeimage encrypted and stored in the non-volatile memory; and generatingfirst decryption masks corresponding to first blocks of data being readfrom the non-volatile memory at a given read address; and generatingsecond decryption masks corresponding to second blocks of data to beread from the non-volatile memory at a next estimated read address,wherein the next estimated read address comprises a next consecutivelinear read address.
 15. The method according to claim 14, furthercomprising: performing a system initialization; and executing, by amicroprocessor, decrypted instruction read from the non-volatile memory,decrypted in a read cycle by the decryption circuit.
 16. The methodaccording to claim 15, wherein steps of the method comprise aneXecution-In-Place flow.
 17. The method according to claim 14, furthercomprising: allowing data which do not require decryption to remainunchanged in accordance with commands received from a control circuitconfigured to monitor transactions occurring on an internal controlpath.
 18. A non-transitory computer-readable storage medium storing aprogram to be executed by a processor, the program includinginstructions for: fetching instructions of a user application code imagefrom a non-volatile memory, the user application code image beingencrypted and stored in the non-volatile memory; executing theinstructions of the user application code image; performing, by adecryption circuit, a decryption, on the fly, of the instructions of theuser application code image encrypted and stored in the non-volatilememory; generating first decryption masks corresponding to first blocksof data being read from the non-volatile memory at a given read address;and generating second decryption masks corresponding to second blocks ofdata to be read from the non-volatile memory at a next estimated readaddress, wherein the next estimated read address comprises a nextconsecutive linear read address.
 19. The non-transitorycomputer-readable storage medium according to claim 18, wherein theprogram further includes instruction for: allowing data which do notrequire decryption to remain unchanged in accordance with commandsreceived from a control circuit configured to monitor transactionsoccurring on an internal control path.
 20. An electronic device,comprising: a microprocessor having an internal memory and configured toaccess a non-volatile memory that is configured to store encrypted datacomprising an user application code image; a bus identifying an internaldata path for exchanging the encrypted data between the non-volatilememory and the microprocessor; a memory controller of the non-volatilememory for receiving blocks of data from the non-volatile memory; adecryption circuit arranged on the internal data path between the memorycontroller and the microprocessor, and configured to decrypt theencrypted data on the fly, the decryption circuit being configured to:perform a decryption, on the fly, of blocks of the data read from thenon-volatile memory to obtain read decrypted data; and supply thedecrypted blocks of the data over the bus to the microprocessor, whereinthe decryption circuit is external to the microprocessor as part of amicrocontroller subsystem, wherein the decryption circuit comprises abypass circuit to allow data which do not require decryption to remainunchanged in accordance with commands being received from a controlcircuit configured to monitor transactions occurring on an internalcontrol path.
 21. The device according to claim 20, wherein thedecryption circuit is further configured to: generate first decryptionmasks corresponding to first blocks of data being read from thenon-volatile memory at a given read address; and generate seconddecryption masks corresponding to second blocks of data to be read fromthe non-volatile memory at a next estimated read address.
 22. The deviceaccording to claim 21, wherein the decryption circuit comprises anAdvanced Encryption Standard (AES) decryption circuit comprising asimplified AES core configured to generate the first decryption masksand the second decryption masks on a basis of encryption parameters insecurity information and a hardware decryption circuitry to combine thefirst decryption masks and the second decryption masks with theencrypted data, the hardware decryption circuitry comprising a circuitperforming an exclusive OR operation between the data and the firstdecryption masks or the second decryption masks supplied from thesimplified AES core.